Why does your company build applications on Linux, as opposed to other OSes?
Todd Sanders: The OS does not require the type of resources that Windows requires. The overhead is minimized by the kernel's ability to handle high resource loads. In addition, the system provides more tuning features such as those found in the kernel, on the TCP/IP stack, memory allocation and disk optimization. Linux has a better development environment with compilers and shells that make application building painless.
What did Snort do well when you used it recently to build a network security application?
Sanders: Wow! Where do I start? It seems that the application is very sensitive to anomalies found on the network. We had to modify the local.rules file to help us with the shortcomings of the application. Acid, Snort, MySQL, PHP and iptables were used in developing a secure and efficient system for our purposes. However, during a number of tests, we were able to pick up scans from Nmap, Ethereal, Sniffer Pro and others. This was essential in identifying one of the most important aspects of network security: 'Identifying reconnaissance scans,' which allowed us to identify potential threats before they occurred.
What were Snort's shortcomings? How did you work around them?
Sanders: A large number of false positives emerged from the initial setup. However, after sorting through a number of false positives, we were able to come up with a baseline to help identify normal traffic such as Samba, Apache, NcFTP and others. Some tuning is required, but for the most part we found Snort was an excellent tool in identifying possible attacks, ranging from Recon, sshd analysis, FTP attacks, e-mail and DNS retrieval. In addition, there was a problem with Snort rule updates but 'Oinkmaster' [Snort rules update package found on www.snort.org] seemed to resolve that problem by enabling updated rule sets in Crontab. Here's an example:
# Run Oinkmaster at 05:00 and 23:00 each day (minute field 0, not *, so it does not fire every minute of those hours); -o is the directory the updated rules are written to
0 5,23 * * * /usr/local/oinkmaster-1.0/oinkmaster.pl -o /usr/local/snort-2.2.0/rules
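To illustrate the false-positive triage Sanders describes (sorting alerts until known-good traffic such as Samba or FTP can be baselined), here is an added Python example, not from the interview and not Snort's own code: it parses Snort's fast-format alert lines, counts hits per signature and source host, and turns repeated alerts from hosts already confirmed as legitimate into threshold.conf suppress entries, leaving everything else for review. The sample alerts, SIDs, messages and addresses are constructed, and the set of trusted hosts is an assumed input.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort's "fast" output format (snort -A fast); not from a real sensor.
SAMPLE_ALERTS = """\
10/12-08:01:05.123456  [**] [1:1000001:1] LOCAL SMB share access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.20:1034 -> 192.168.1.5:445
10/12-08:01:09.223456  [**] [1:1000001:1] LOCAL SMB share access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.20:1035 -> 192.168.1.5:445
10/12-08:02:11.323456  [**] [1:1000001:1] LOCAL SMB share access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.20:1036 -> 192.168.1.5:445
10/12-08:03:40.423456  [**] [1:1000002:1] LOCAL FTP login from backup host [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.30:2201 -> 192.168.1.6:21
10/12-08:05:02.523456  [**] [1:1000003:2] LOCAL possible SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.9.8.7:40001 -> 192.168.1.5:22
10/12-08:05:02.623456  [**] [1:1000003:2] LOCAL possible SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.9.8.7:40002 -> 192.168.1.5:23
10/12-08:06:15.723456  [**] [1:1000001:1] LOCAL SMB share access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.9.8.7:40003 -> 192.168.1.5:445
"""

# timestamp [**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast-format alert."""
    m = FAST_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["gid"], a["sid"], a["rev"] = int(a["gid"]), int(a["sid"]), int(a["rev"])
    return a

def build_baseline(text, trusted_hosts, min_hits=2):
    """Count alerts per (gid, sid, source). A signature that fires min_hits or more times from a
    host already verified as legitimate becomes a threshold.conf suppress entry scoped to that
    host only; every alert not covered by such an entry is returned for analyst review."""
    alerts = [a for a in map(parse_fast_alert, text.splitlines()) if a]
    counts = Counter((a["gid"], a["sid"], a["src"]) for a in alerts)
    quiet = {k for k, n in counts.items() if k[2] in trusted_hosts and n >= min_hits}
    suppress = [f"suppress gen_id {g}, sig_id {s}, track by_src, ip {ip}" for g, s, ip in sorted(quiet)]
    remaining = [(a["sid"], a["msg"], a["src"], a["dst"]) for a in alerts
                 if (a["gid"], a["sid"], a["src"]) not in quiet]
    return suppress, remaining

if __name__ == "__main__":
    # Assumed baseline: the Samba server's client and the backup host are known-good sources.
    sup, rem = build_baseline(SAMPLE_ALERTS, {"192.168.1.20", "192.168.1.30"})
    print("\n".join(sup))
    for sid, msg, src, dst in rem:
        print(f"review: sid {sid} {msg!r} {src} -> {dst}")
```

The suppress entries are keyed to the source host rather than the whole signature, so the same SMB rule still fires when an untrusted address (10.9.8.7 above) touches the share.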
Could you describe your work with Nessus -- the free, open source security scanner -- and why you use it instead of some other tool?
Sanders: We use Nessus to help with identifying vulnerabilities with various systems. We've tried using a number of products to help identify and cross-reference our findings, but it seems that Nessus found numerous threats and vulnerabilities that LANguard, ISS, and WebTrends did not. One example: we found misconfigured DNS services running on one of our servers. In addition, Nessus made suggestions to remove TCP ports 137 and 445. We found it most helpful in our analysis that it was able to identify a misconfigured service.
Again, we don't depend on single solutions, but a matrix of different software applications. As with Snort, we are able to update the signatures using a Perl script provided by Nessus. We found Nessus to be the best choice for users when it comes to price, analysis, recommendations and reporting improvements.
Are there shortcomings in Nessus that have caused problems for you?
Sanders: Overall, we are happy with the results that Nessus has provided. The only negative side that surfaced was from 'gtk+' files not found. To get past that, the user must have an in-depth knowledge of Unix or Linux.
Could you offer some tips to IT shops that want to use open source tools for building network security systems and securing their networks?
Sanders: My tips are simple: Download Ethereal from the Internet and use it to baseline network traffic. In addition, run Nessus in the background to identify holes and vulnerabilities. Secondly, configure iptables on the network to lock down servers and port access. Third, run Snort in the background to identify anomalies and possible attacks on the inside and outside of the firewall. Fourth, put together a centralized log server analyzed every day by a file called "Logwatch." Logwatch gives the user the ability to review summary or detailed log reports. There are a number of key features, if configured properly, that can be a powerful tool to identify changes on the network, which can be e-mailed to the network administrator. Finally, review policy and procedures on a quarterly basis to make sure company rules are followed if there was an unforeseen change.
I would recommend setting up the server using MySQL to help with the analysis for archival and baseline purposes. In addition, I would start training individuals on the importance of security. For instance, have them read Hacker's Secret's version 3.
If a company changes their business model, it should be based on enabling the highest levels of security, then taper off to allow for functionality. That is where Linux [Red Hat Enterprise and 9] come into play because of the kernel's ability to handle heavy resource loads.